syslog=yes
debug=7
output=/opt/stunnel/stunnel.log

First, the entry syslog=yes sends stunnel's messages to syslog, which on this box lands them in /var/log/secure; that makes the separate stunnel.log redundant.

Second, debug=7 is more than we need for production; it is the most verbose level stunnel offers. Drop it too far the other way, though, and under normal load nothing gets logged at all, not even a restart of the service. Debug 5 catches the starts and stops, but costs three log lines per connection. It's a thin line to tread, but it looks like I'm going to use 5.
The next problem is that, as presented, the server accepts a TLS connection from anyone; the client's PEM was never used. We need the server to force clients to authenticate, which we'll do by having it verify the client's certificate. Add two lines to the server's config file:
CAfile=/etc/stunnel/server.ca
verify=2

We won't really have a CA, but this will be close enough: with verify=2 the server demands a certificate from every client and accepts it only if it checks out against CAfile, and a self-signed certificate is its own issuer, so a file of trusted client certificates serves as the "CA". Copy the server.pem to server.ca, which we'll modify in a few minutes. Strictly, only the certificate section belongs in server.ca, since server.pem also holds the server's private key; the same sed we use on the client below pulls out just that section.
On the client:

echo "-----`hostname`-----" > `hostname -s`.crt
sed -ne '/BEGIN CERT/,/END CERT/p' <server.pem >>`hostname -s`.crt

Ship this off to the server. The sed copies only the CERTIFICATE block out of server.pem, so the client's private key stays where it belongs; the banner line is ignored by the PEM parser and merely records which host the entry came from.
On the server, append the CRT we just transferred from the client to the CA we created a few moments ago:

cat clientfile.crt >> server.ca

Restart stunnel on both ends. Unless a client's CRT has been added to the server's CA, it can't get in. Before restarting it is worth confirming that server.ca holds one CERTIFICATE block per host you expect and no PRIVATE KEY block at all, which is what you get if someone ships a whole .pem instead of the .crt.
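The client-side extraction and server-side append above, as one script with the checks a practitioner wants. This is an added example, not code from the original post: it copies only the CERTIFICATE block, refuses a file that still carries a private key, and skips a certificate that is already in the bundle so repeated runs don't bloat it. The host names, file names and PEM contents are constructed placeholders for illustration and are not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: the client-side extract and
# server-side append from the post, with the checks a practitioner wants.
# File names, host names and PEM contents are constructed placeholders.

# Print only the CERTIFICATE block(s) of a PEM file; the private key block
# never passes this filter, so this is the only thing that leaves the host.
extract_cert() {
    sed -ne '/BEGIN CERT/,/END CERT/p' "$1"
}

# Join each certificate body onto one line so bundles can be compared with
# a plain grep; banner lines outside BEGIN/END are ignored.
cert_lines() {
    awk '/BEGIN CERT/ { inc = 1; body = ""; next }
         /END CERT/   { inc = 0; print body; next }
         inc          { body = body $0 }' "$1"
}

# Build the client's .crt: a banner naming the host, then its certificate.
# OpenSSL's PEM reader skips text outside BEGIN/END markers, so the banner
# is harmless and later tells you which entry in server.ca is which host.
make_client_crt() {   # make_client_crt <pem> <out> <host>
    if ! grep -q 'BEGIN CERT' "$1"; then
        echo "make_client_crt: no certificate in $1" >&2
        return 1
    fi
    { printf '%s\n' "-----$3-----"; extract_cert "$1"; } > "$2"
}

# Append a shipped .crt to the CA bundle. Returns 0 if added, 1 if refused
# (a private key came along, or there is no certificate at all), 2 if the
# certificate is already in the bundle.
add_to_ca() {         # add_to_ca <crt> <cafile>
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "add_to_ca: refusing $1, it contains a private key" >&2
        return 1
    fi
    new=$(cert_lines "$1")
    if [ -z "$new" ]; then
        echo "add_to_ca: refusing $1, no certificate found" >&2
        return 1
    fi
    if cert_lines "$2" | grep -Fqx -- "$new"; then
        echo "add_to_ca: $1 already present in $2" >&2
        return 2
    fi
    cat "$1" >> "$2"
}

# Number of certificates in a bundle: one per trusted client plus the server's own.
count_certs() {
    grep -c 'BEGIN CERT' "$1" || true
}

# Constructed stand-in for a stunnel .pem (key block, then cert block).
# Not real key material; only the file shape matters for this example.
write_sample_pem() {  # write_sample_pem <out> <label>
    cat > "$1" <<EOF
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTEDPRIVATEKEYFOR$2DONOTSHIP
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDCERTIFICATEFOR$2LINE1
CONSTRUCTEDCERTIFICATEFOR$2LINE2
-----END CERTIFICATE-----
EOF
}

# Walk-through in a scratch directory: the server seeds server.ca with its
# own certificate (not the whole server.pem), then a client ships its .crt.
demo() {
    d=$(mktemp -d)
    write_sample_pem "$d/server.pem" server
    write_sample_pem "$d/alpha.pem" alpha
    extract_cert "$d/server.pem" > "$d/server.ca"
    make_client_crt "$d/alpha.pem" "$d/alpha.crt" alpha.example.com
    add_to_ca "$d/alpha.crt" "$d/server.ca"
    add_to_ca "$d/alpha.crt" "$d/server.ca" || echo "second add returned $?"
    add_to_ca "$d/alpha.pem" "$d/server.ca" || echo "raw .pem returned $?"
    echo "certificates in server.ca: $(count_certs "$d/server.ca")"
    rm -rf "$d"
}
demo
```

The duplicate check compares the whole base64 body rather than a banner or a single line, so the same host re-shipping its certificate is a no-op while a re-issued certificate for that host is appended as a new entry; if you rotate a client's certificate, remove the old block from server.ca by hand.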